[Dshield] Mangled traffic and its effects on IDS performance

Cefiar cef at optus.net
Wed Apr 11 03:53:21 GMT 2007


On Wednesday 11 April 2007 00:02, Pete Cap wrote:
> Packet analysis with wireshark shows that about 1/3 of the packets, at any
> given time, are dupes, transmitted out-of-order, are truncated, etc. 
> Basically, it's pretty mangled.  If you look at transmission times, about
> half the traffic is fine, and about 1/3 is very, very slow.  So, in
> statistical terms, it's like there are two distributions.

Re: the dupes...

Find both the source and the destination, and from the source (or as close to 
it as possible) check the turn-around time to the destination.

I've had cases where long turn-around times on a combination of a wireless 
network and a VPN caused a number of dupes simply because one of the TCP 
stacks was optimised to resend packets if there was no ACK within a short 
time period (it was expecting a fast LAN environment). You may find that the 
transmission time is just a few milliseconds too long, and some simple 
tweaking might reduce the dupe overhead. It won't fix all of the slowness, 
but it will reduce the number of dupes on the pipe, which means more time 
will be free for valid data transmission rather than erroneous 
retransmission.

BTW: Remember that every OS handles this sort of thing differently, and not 
all of them obey standards, mainly because while standards are a nice idea, 
sometimes they are impractical for the application at hand. This is not to 
say that I approve of breaking standards, but that I can see "why" they 
are doing it. Of course, when you get everyone changing things about, the 
chances of hitting a problem increase.

I'd also try classifying the data into destination/protocol/port groups, and 
see if there is any correlation between the groups and the amount of dupe/tx 
OoO/truncated traffic in each group. This will give you a better insight into 
just what is causing the problem and what is going on.

-- 
 Stuart Young - aka Cefiar - cef at optus.net
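The grouping suggested in the last paragraph (destination/protocol/port buckets, with dupe, out-of-order and truncated counts per bucket) and the dupe turn-around check from the first one, as an added example that is not part of the original post. The packet tuples are constructed sample data in an assumed flattened-export shape, not a real capture.

```python
from collections import defaultdict

# Constructed sample (not a real capture): one tuple per packet, in the
# shape a flattened tshark export might take. cap_len < wire_len marks a
# packet that was truncated by the capture.
SAMPLE_PACKETS = [
    # ts,   src,        dst,         proto, dport, seq,  wire_len, cap_len
    (0.000, "10.0.0.5", "10.0.1.20", "tcp", 443, 1000, 1500, 1500),
    (0.010, "10.0.0.5", "10.0.1.20", "tcp", 443, 2460, 1500, 1500),
    (0.012, "10.0.0.5", "10.0.1.20", "tcp", 443, 1000, 1500, 1500),  # dupe of 1st
    (0.020, "10.0.0.5", "10.0.1.20", "tcp", 443, 5380, 1500, 1500),
    (0.021, "10.0.0.5", "10.0.1.20", "tcp", 443, 3920, 1500,   96),  # OoO + truncated
    (0.030, "10.0.0.7", "10.0.1.30", "udp",  53,    0,   80,   80),
    (0.031, "10.0.0.7", "10.0.1.30", "udp",  53,    0,   80,   80),  # seq ignored for udp
    (0.040, "10.0.0.9", "10.0.1.20", "tcp",  22,  500,  120,  120),
    (0.041, "10.0.0.9", "10.0.1.20", "tcp",  22,  620,  120,  120),
]

def classify(packets):
    """Group by (dst, proto, dport); count dupes, out-of-order and truncated
    packets, 'mangled' counts a packet with any defect once, and 'dupe_gaps'
    is seconds between a seq's first sighting and its dupe (vs. turn-around)."""
    groups = defaultdict(lambda: {"total": 0, "dupe": 0, "ooo": 0,
                                  "truncated": 0, "mangled": 0, "dupe_gaps": []})
    first_seen = {}   # (flow, seq) -> ts of first occurrence
    highest = {}      # flow -> highest seq seen so far
    for ts, src, dst, proto, dport, seq, wire_len, cap_len in sorted(packets):
        g = groups[(dst, proto, dport)]
        g["total"] += 1
        bad = cap_len < wire_len
        if bad:
            g["truncated"] += 1
        if proto == "tcp":            # seq-based checks only make sense for TCP
            flow = (src, dst, dport)
            if (flow, seq) in first_seen:
                g["dupe"] += 1
                g["dupe_gaps"].append(ts - first_seen[(flow, seq)])
                bad = True
            else:
                first_seen[(flow, seq)] = ts
                if seq < highest.get(flow, -1):
                    g["ooo"] += 1
                    bad = True
                highest[flow] = max(highest.get(flow, -1), seq)
        g["mangled"] += int(bad)
    return dict(groups)

def mangled_fractions(packets):
    """Share of defective packets per group, for comparing groups side by side."""
    return {k: g["mangled"] / g["total"] for k, g in classify(packets).items()}
```

A dupe gap that is consistently just a few milliseconds short of the measured turn-around time to that destination points at an over-eager retransmit timer rather than at loss.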
